“A payday loan company hit by a breach that compromised the bank details of more than 200,000 people!”
“A famous supermarket chain fell victim to a data breach that led to the leakage of 60,000 employees’ payroll data.”
“A hospital based in the UK was fined £300,000 for the theft of thousands of patients’ data. The stolen data was up for sale on a local website.”
How many times have we come across such appalling data breaches?
Countless times, you say?
So does the 2019 Thales Data Threat Report, that says that 65% of US companies have experienced a data breach!
That is exactly what paved the way for data privacy laws.
The California Consumer Privacy Act (CCPA) is the newest kid on the data privacy block, and came into effect on January 1, 2020.
In this blog post, we are sharing 6 steps you must take to ensure your company complies with CCPA. Let’s get started!
1. Find out if CCPA impacts your company
The California Consumer Privacy Act gives any Californian consumer the right to know what personal information a company has collected about them, and the categories of third parties that information is sold to or shared with.
Additionally, the law gives consumers a private right of action to sue a business when certain personal information is exposed in a breach caused by a failure to maintain reasonable security. Other CCPA violations are enforced by the California Attorney General.
CCPA applies to any for-profit business that collects personal information of consumers, does business in California, and meets at least one of these thresholds –
- Has annual gross revenue of more than $25 million
- Buys, sells, receives, or shares the personal information of 50,000 or more consumers, households, or devices per year
- Derives 50% or more of its annual revenue from selling consumers’ personal data
2. Update privacy disclosures
The Californian law requires you to notify consumers, at or before the point of collection, what categories of personal information you collect and for what purposes. It must also clearly inform consumers that they can opt out of the sale of their personal information if they wish.
You must decide whether you want to have separate policies for California residents or just have a single CCPA-compliant policy for all consumers irrespective of their location.
Your privacy notice must mention the following pointers:
- All categories of personal information collected by your company
- Where you gather personal information from
- Types of third parties you share the information with
- The purpose for which you will use the information
Make sure you put your disclosure in a public location so it is easy for everyone to see.
3. Make opting-out simple
In addition to making your privacy disclosures public, you must also give your consumers an easy way to opt out of the sale of their personal information, and you must honor that choice.
Introduce a “Do Not Sell My Personal Information” link on your homepage that your users can click to prohibit the selling of their personal data.
4. Maintain a record of data processing activities
To answer consumer requests within the legal deadline, you need to create and regularly update an inventory of the personal information you hold and how it is processed. It must cover data collected through products, devices, apps, and third parties.
If you’re already GDPR-compliant, then it is a good head start. But CCPA requires a few additional steps. These steps include –
- Identifying if data is sold
- Disclosing which categories of information are sent to third parties
- Determining which of the personal information is covered by HIPAA or any other law that would exempt the data from the scope of the CCPA
- Recording when each item of data was collected, since access requests cover the personal information collected in the 12 months preceding the request, and older information may fall outside that window
5. Determine how you handle customer requests
Under CCPA, your organizations should be able to respond to customer requests about how their personal information is handled. For this, you need a step-by-step process in place that determines how your teams will handle these requests/inquiries.
The Californian law states that organizations must respond within 45 days of receiving a verifiable request, free of charge; the deadline can be extended by a further 45 days if the consumer is notified of the extension. You need to ascertain how you provide the following types of services –
- Delete the personal information of customers who request to do so
- Explain the categories of information available with you
- Provide consumers copies of all the information you have
- Allow consumers who are 16 years old and over to opt out of the sale of their personal data
- Obtain affirmative (“opt-in”) authorization before selling the personal data of consumers under 16: for consumers under 13 years old, a parent or guardian must give that authorization, while consumers who are 13 to 15 years old can authorize it themselves
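The opt-out link from step 3 and the age-based consent rules and 45-day deadline from step 5 come down to a small decision procedure. The following is an added example, not code from the original post or from Grazitti: an in-memory consent store with a hypothetical `ConsentStore` class, a `maySellPersonalInfo` gate, and a `responseDueDate` helper. All names, the in-memory storage, and the sample consumers are assumptions for illustration; a real deployment would persist the records server-side and tie them to an authenticated identity.

```javascript
// Added example (not from the original post): a "sale of personal
// information" gate and request-deadline helper modelled on the CCPA rules
// this post describes. All names below are hypothetical.

const DAY_MS = 24 * 60 * 60 * 1000;

// In-memory consent store keyed by consumer ID (assumption: a real
// deployment would persist this server-side behind authentication).
class ConsentStore {
  constructor() {
    this.records = new Map();
  }

  // Register a consumer with an optional known age (undefined = unknown).
  register(consumerId, age) {
    const record = { age, optedOut: false, minorAuth: false, guardianAuth: false, updatedAt: null };
    this.records.set(consumerId, record);
    return record;
  }

  // Handler behind the "Do Not Sell My Personal Information" link.
  recordOptOut(consumerId, at = new Date()) {
    const record = this.records.get(consumerId) || this.register(consumerId, undefined);
    record.optedOut = true;
    record.updatedAt = at;
    return record;
  }

  // Affirmative ("opt-in") authorization for consumers under 16. `by` is
  // "guardian" (required under 13) or "minor" (acceptable at 13 to 15).
  recordOptIn(consumerId, by, at = new Date()) {
    const record = this.records.get(consumerId);
    if (!record) throw new Error(`unknown consumer ${consumerId}`);
    if (by === "guardian") record.guardianAuth = true;
    else if (by === "minor") record.minorAuth = true;
    else throw new Error(`unknown authorizer ${by}`);
    record.optedOut = false;
    record.updatedAt = at;
    return record;
  }

  get(consumerId) {
    return this.records.get(consumerId);
  }
}

// Decide whether this consumer's personal information may be sold.
// Returns { allowed, reason } so the caller can log why a sale was blocked.
function maySellPersonalInfo(record) {
  if (!record) return { allowed: false, reason: "no consent record" };
  if (record.optedOut) return { allowed: false, reason: "consumer opted out" };
  if (record.age !== undefined && record.age < 13) {
    return record.guardianAuth
      ? { allowed: true, reason: "guardian authorized" }
      : { allowed: false, reason: "under 13: guardian authorization required" };
  }
  if (record.age !== undefined && record.age < 16) {
    return record.minorAuth || record.guardianAuth
      ? { allowed: true, reason: "minor or guardian authorized" }
      : { allowed: false, reason: "13 to 15: affirmative authorization required" };
  }
  // 16 and over (or no actual knowledge of age): sale is allowed until
  // the consumer opts out.
  return { allowed: true, reason: "no opt-out on file" };
}

// Deadline for answering a consumer request: 45 days from receipt,
// extendable by a further 45 days when the consumer is notified.
function responseDueDate(receivedAt, extended = false) {
  const days = extended ? 90 : 45;
  return new Date(receivedAt.getTime() + days * DAY_MS);
}

// Usage with constructed sample consumers.
const store = new ConsentStore();
store.register("adult-1", 34);
store.register("child-1", 11);
store.register("teen-1", 14);
store.recordOptOut("adult-1");
store.recordOptIn("teen-1", "minor");
console.log(maySellPersonalInfo(store.get("adult-1"))); // blocked: opted out
console.log(maySellPersonalInfo(store.get("child-1"))); // blocked: guardian needed
console.log(maySellPersonalInfo(store.get("teen-1")));  // allowed
console.log(responseDueDate(new Date("2020-01-01T00:00:00Z")).toISOString());
```

Every path through `maySellPersonalInfo` returns a reason string, so a blocked sale can be written to an audit log and shown to the team handling the consumer's request; an opt-out always wins over an earlier opt-in.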
6. Ensure consumers’ rights
The law empowers Californian consumers with the right to:
- Know the categories of personal information being collected about them
- Know who their information is being sold or disclosed to
- Refuse the sharing/sale of their information to any third-party
- Access all their personal information held by an organization
- Equal service and price, even if any privacy rights created by the CCPA are exercised
A data breach is like a ‘breaking and entering’ of your house. The obvious solution is to lock all the doors to prevent burglars from stealing your data. CCPA expects exactly that: reasonable security procedures and practices appropriate to the nature of the information you hold. So, start strengthening your data security measures, train your teams, and update your software and systems to get started. Failing to comply exposes your company to civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation!
It is time to put on your Batman suit and beat the Joker!
Team Grazitti Can Help You Prepare for CCPA the Right Way! Contact Us.